Computational vulnerability assessment is generally considered an exploratory activity: various ways of computing the possible evolutions of the systems in- volved are tried out, the models representing the systems are often changed, and different ways of assessing harm, impacts or sensitivity are used. One of the most important problems in all these changes is that of the type of
7.2. MEASURES OF HARM ON MONADIC STRUCTURES 113
the measure function, which is estimating a structure of possible harms, or impacts, along a trajectory of states. When the system giving us this tra- jectory changes, for example, when a deterministic system is replaced by a stochastic one, the harm function generally does not need to change: its type remains [X ] → V , but the measure function has to change: the new type is given by the monad of the new system. In our example, initially we had measure :: Id V → W , and after the change measure :: SimpleProb V → W . It is interesting, especially when comparing the results of these explo- rations, to know whether the measures used are in some sense compatible. Further, it would be desirable if one could take advantage of an existing measure function in order to devise others which are compatible with it, but work on different structures.
The feasability of this depends on the precise sense of “compatible”. Since we are assuming that W is a partially ordered set, we have that any vulnerability measure m :: M V → W induces a preorder on M V : mv1 vM V mv2 ≡ m (mv1) vW m (mv2). In order to decide whether two
measures with the same target defined on different structures of the same underlying set, m1:: M1 V → W and m2:: M2 V → W are compatible or
not, we can examine the preorders they induce on their sources. Let us give some examples.
1. If X is a set and M is a monad, a preorder vX on X can be considered
compatible with a preorder vM X on M X if
∀ x1, x2:: X : x1 vX x2 ≡ (return x1) vM X (return x2)
2. The preorder v1 on [R] given by
xs1 v1xs2 ≡ (average xs1 ) 6 (average xs2 )
seems to be more compatible with the preorder v2 on SimpleProb R
given by
sp1v2 sp2≡ (expected sp1) 6 (expected sp2)
than with the preorder v3 on SimpleProb R given by
sp1v3 sp2≡ (likeliest sp1) 6 (likeliest sp2)
where likeliest sp chooses the greatest real number assigned the great- est probability (ties between equally likely elements are broken by using max )
3. It seems reasonable to consider that the preorder v3 above is compat-
114 CHAPTER 7. MONADIC SYSTEMS AND VULNERABILITY
sf1 v4 sf2≡ (highestDeg sf1) 6 (highestDeg sf2)
where highestDeg sf returns the real number with the greatest degree of membership to sf and ties are broken, as with v4, by using max .
On the other hand, v3 does not seem intuitively to be compatible with
v5 where
sf1 v5 sf2≡ (cog sf1) 6 (cog sf2)
where cog sf computes the “center of gravity” of the fuzzy set sf (similar to taking the expected value in SimpleProb R).
The reason the choices made in these examples between compatibility and non-compatibility seem so obvious is probably that in each case, al- though we have not made it explicit, we have a transformation between two different types of structure. The transformation is natural: in programming terms, the functions it defines are polymorphic, and injective: all functions in the transformation have left inverses. In each case, the preorders are judged compatible when both the transformation between the structures and its left inverses, restricted to the image of the transformation, are monotonous, and otherwise they are classified as incompatible. In other words, we can take the following as definitions of “compatibility”.
Definition 17 Compatible preorders.
Let M and N be functors and τ :: M a → N a be an injective natural transformation. Two preorders vM on M X and vN on N X are compat-
ible with respect to τ if M X and the image of M X under τ are order isomorphic, that is
mx1 vM mx2 ≡ τ (mx1) vN τ (mx2)
Definition 18 Compatible vulnerability measures.
Two vulnerability measures m1:: M1 V → W and m2:: M2 V → W are
compatible with respect to an injective natural transformation τ :: M1 a → M2 a if the preorders induced by them are compatible with respect to τ .
We can now state the main result about “translating” vulnerability mea- sures from one type of structure to another.
Theorem 9 Translating vulnerability measures.
Let τ :: M a → N a be an injective natural transformation, and let τ−1::N a → M a be a left inverse of τ which is also a natural transformation. Then:
1. If mM::M V → W is a vulnerability measure, then mM·τ−1::N V →
7.2. MEASURES OF HARM ON MONADIC STRUCTURES 115
2. If mN::N V → W is a vulnerability measure, then mN·τ ::M V → W
is a vulnerability measure compatible with it with respect to τ .
Proof.
1. Let inc :: V → V be an increasing function, and nv :: N V . We have
mM (τ−1 (N inc nv ))
= { naturallity of τ−1 } mM (M inc (τ−1 nv ))
v { mM vulnerability measure }
mM (τ−1 nv )
and therefore, mM · τ−1 is a vulnerability measure.
Remark. Since only the naturality of τ−1 has been used, we have the more general result that the composition of a vulnerability measure with a natural transformation is a vulnerability measure.
Let mv1, mv2:: M V . We have mM mv1 v mM mv2 ≡ { τ−1· τ = id } mM (τ−1 (τ mv1)) v mM (τ−1(τ mv2)) ≡ { function composition } (mM · τ−1) (τ mv1) v (mM · τ−1) (τ mv2)
therefore, mM and mM · τ−1 are compatible with respect to τ .
2. mN · τ is a vulnerability measure, as shown above.
Let mv1, mv2:: M V . We have
(mN · τ ) mv1 v (mN · τ ) mv2
≡ { composition }
mN (τ mv1) v mN (τ mv2)
which shows that mN · τ and mN are compatible with respect to τ .
The “compatibility” between the examples with which we started and the formal definitions above is summarized in the following proposition.
Proposition 6 Examples of compatibility.
116 CHAPTER 7. MONADIC SYSTEMS AND VULNERABILITY
1. vX and vM X are compatible with respect to return if return is injec-
tive. They are compatible with respect to an injective inverse of return, if one exists.
2. average and expected are vulnerability measures, compatible with the following natural transformation:
l1ToSP :: List1 x → SimpleProb x
l1ToSP xs = SP [(x , p) | x ← xs ] where p = 1.0 / realToFrac (length xs) The preorder v3, induced by likeliest which is not a vulnerability mea-
sure, is not compatible with the preorder induced by average, v1.
3. v3 and v4 are compatible with respect to the natural transformation
spToSF :: SimpleProb x → SimpleFuzzy x spToSF (SP xs) = SF xs
The preorder v5 induced by cog , which is a vulnerability measure, is
not compatible with v3 with respect to spToSF , but is compatible with
v2.
The proofs are just routine verification of the definitions involved.